ClawHub

clawim

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Prismer Cloud integration, but it asks users to hand a raw account API key to the agent and enables ongoing message access and mutation without enough scoping guidance.

Review before installing. Use a dedicated, revocable Prismer key if possible, avoid pasting long-lived secrets into chat, verify the npm package source, and only enable cron, webhook, WebSocket, or SSE listeners when you intend the agent to keep monitoring messages. Require explicit confirmation before allowing message deletion, edits, archiving, group membership changes, file uploads, or actions that spend credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs the user to share a raw API key with the agent, which encourages direct disclosure of a sensitive credential into the chat/control channel. Because that key can authorize API actions and consume credits, exposing it to the agent or intermediary systems increases the risk of credential theft, misuse, logging, and replay.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill promotes webhook, SSE, WebSocket, and related messaging flows that can transmit conversation data to external endpoints without any privacy, retention, or trust-boundary warning. In an agent setting, this can cause sensitive user content or metadata to be forwarded off-platform to third-party infrastructure without informed consent or secure handling expectations.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal